ON THE DISCRETE LOGARITHM PROBLEM

Abstract. Let p > 2 be prime and g a primitive root modulo p. We present an argument for the fact that discrete logarithms of the numbers in any arithmetic progression are uniformly distributed in [1, p] and raise some questions on the subject.

1. Introduction

Before the middle of the last century, discrete logarithms were just common tools used to perform calculations in finite fields. Then, with the development of cryptography, their importance rose considerably, especially after Diffie and Hellman [1] created the key exchange algorithm, the first practical public key cryptosystem. Many cryptosystems, such as the Diffie-Hellman key agreement and its derivatives, ElGamal public-key encryption, the ElGamal signature scheme and its variants, DSA, etc. (see [2], [3], [1]) are based on the assumption that discrete logarithms are hard to compute. Considerable efforts have been made to find algorithms that speed up the calculation of discrete logarithms, but nobody knows how one could prove that a very fast algorithm does not exist.

A strong argument would require proofs for the random distribution characteristic of the set containing the discrete logarithms of the elements of a "regular" subset of [0, p − 1] (a subinterval being just the first try), when p → ∞. This feature is suggested by numerical evidence for small p and by most of the work done around the cryptosystems based on discrete logarithms (see [1] and [6] and the references therein). Recently, Banks and Shparlinski [7] have obtained nice results in this direction.

Discrete logarithms can be defined in general groups, but here we restrict ourselves to the group G = Z/pZ of residue classes modulo a prime p > 2. Given any g ∈ G and n ∈ N, let g^n := g ··· g (n factors g) be the discrete exponentiation function. We will assume that g is a generator of G, that is, g is a primitive root modulo p. Then, for any x ∈ G, the discrete logarithm problem requires finding the smallest integer n with the property that g^n ≡ x (mod p). Since g is a primitive root, the power n always exists in the interval [0, p − 1]. We denote it by n = log_g x = log x, and call it the discrete logarithm of x to base g.

2000 Mathematics Subject Classification. Primary 11A07; Secondary 11B50, 11L07.

Key Words and Phrases: Discrete logarithms, exponential sums, characters, primitive roots.

CRISTIAN COBELI

Notice that the discrete logarithm function is the inverse of the discrete exponentiation function and it has the properties log 1 = 0 and log xy = log x + log y (mod p − 1), for any x, y ∈ G.

Let a > 0, r > 0, N > 0 be integers, and set J = {a + r, ..., a + Nr} ⊂ [1, p − 1]. Denote
$$\mathcal L(g,\mathcal J) = \mathcal L(g) := \{\log_g(a+jr) : 1 \le j \le N\}$$
and by M(g, J) = M(g) the image of L(g, J) in the torus R/Z. Then, any property regarding the spreading of the elements of L(g, J) over [0, p − 1] transfers into a similar one regarding the elements of M(g, J) over the torus, and conversely. Since our aim is to understand what happens when p gets large, and it is more convenient to work within the bounded space R/Z, in the following our focus will concentrate mainly on M(g, J).
The discrepancy of M(g) is defined by
$$\mathcal D(\mathcal M(g);\alpha,\beta) := \operatorname{card}\bigl(\mathcal M(g)\cap[\alpha,\beta]\bigr) - (\beta-\alpha)\operatorname{card}\bigl(\mathcal M(g)\bigr),$$
where 0 ≤ α < β ≤ 1. In order to prove that M(g) is approximately uniformly distributed, which is the same as saying that L(g) is uniformly distributed in [0, p − 1], we have to show that the extreme discrepancy
$$\mathcal D(\mathcal M(g)) := \frac{1}{\operatorname{card}(\mathcal M(g))}\sup_{0\le\alpha<\beta\le 1}\bigl|\mathcal D(\mathcal M(g);\alpha,\beta)\bigr|$$
becomes small when p gets large. This is the object of the following theorem.
Theorem 1. There exist absolute constants c_1, c_2 > 0 such that if 1/π ≤ p(β − α), then
$$\bigl|\mathcal D(\mathcal M(g);\alpha,\beta)\bigr| \le c_1\, p^{1/2}\log p\,\bigl(2+\log p(\beta-\alpha)\bigr) \tag{1.1}$$
for any 0 ≤ α < β ≤ 1, and

A consequence of Theorem 1 assures us that any interval whose length, combined with the length of J, exceeds a certain margin contains plenty of elements of L(g).

Corollary 1. For any δ > 0, any subinterval of [0, p − 1] of length M contains at least (1 − δ)MN/p and at most (1 + δ)MN/p elements of L(g, J), provided that MN ≥ (c_3/δ) p^{3/2} log² p for some absolute constant c_3 > 0.
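The objects introduced in this section (the discrete logarithm table, the set L(g, J) of logarithms of an arithmetic progression, its torus image M(g, J), the discrepancy D(M; α, β) and the extreme discrepancy D(M(g))) can all be computed exactly for a small prime. The following Python script is an added example and not code from the paper; the prime, the search for a primitive root, the progression parameters and the function names are my own choices. It also counts the elements of L(g, J) falling in a subinterval of [0, p − 1], which is the quantity Corollary 1 compares with MN/p.

```python
"""Added example, not code from the paper: discrete logarithms of an arithmetic
progression, their image on the torus R/Z, and the discrepancies of that image."""
from fractions import Fraction


def is_primitive_root(g, p):
    """g generates (Z/pZ)^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    n, q, primes = p - 1, 2, []
    while q * q <= n:
        if n % q == 0:
            primes.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if n > 1:
        primes.append(n)
    return all(pow(g, (p - 1) // q, p) != 1 for q in primes)


def dlog_table(g, p):
    """log_g x for every x in [1, p-1]: walk g^0, g^1, ..., g^(p-2) once (O(p) time and space)."""
    table, x = {}, 1
    for n in range(p - 1):
        table[x] = n
        x = x * g % p
    return table


def log_set(g, p, a, r, N):
    """L(g, J) for J = {a + r, ..., a + N r}, which must lie inside [1, p-1]."""
    if not (1 <= a + r and a + N * r <= p - 1):
        raise ValueError("J must be contained in [1, p-1]")
    table = dlog_table(g, p)
    return [table[a + j * r] for j in range(1, N + 1)]


def torus_image(logs, p):
    """M(g, J): the logarithms divided by p-1, kept as exact rationals in [0, 1)."""
    return [Fraction(n, p - 1) for n in logs]


def discrepancy(M, alpha, beta, closed=True):
    """D(M; alpha, beta) = card(M ∩ [alpha, beta]) - (beta - alpha) card(M).
    With closed=False the open interval (alpha, beta) is counted instead; that is the
    limiting value of D as the two endpoints are moved slightly inwards."""
    if closed:
        inside = sum(1 for x in M if alpha <= x <= beta)
    else:
        inside = sum(1 for x in M if alpha < x < beta)
    return inside - (beta - alpha) * len(M)


def extreme_discrepancy(M):
    """(1/card M) * sup |D(M; alpha, beta)| over 0 <= alpha < beta <= 1.  The count is
    constant while the endpoints stay between consecutive points of M and the other term
    is linear, so the supremum is attained (or approached) with endpoints taken from
    M together with 0 and 1, closed or open; a finite search is therefore exact."""
    pts = sorted(set(M) | {Fraction(0), Fraction(1)})
    worst = Fraction(0)
    for i, a in enumerate(pts):
        for b in pts[i + 1:]:
            worst = max(worst, abs(discrepancy(M, a, b, True)),
                        abs(discrepancy(M, a, b, False)))
    return worst / len(M)


def count_in_interval(logs, s, t):
    """Number of elements of L(g, J) in the subinterval [s, t] of [0, p-1]; Corollary 1
    compares this with (t - s) N / p."""
    return sum(1 for n in logs if s <= n <= t)


if __name__ == "__main__":
    p = 1009                                   # constructed parameters for illustration
    g = next(x for x in range(2, p) if is_primitive_root(x, p))
    a, r, N = 5, 7, 100                        # J = {12, 19, ..., 705}
    logs = log_set(g, p, a, r, N)
    M = torus_image(logs, p)
    print("g =", g, " extreme discrepancy D(M(g)) =", float(extreme_discrepancy(M)))
    s, t = 200, 499                            # a subinterval of [0, p-1] of length 299
    print("elements of L(g,J) in [%d,%d]: %d, expected about %.1f"
          % (s, t, count_in_interval(logs, s, t), (t - s) * N / p))
```

The supremum in the extreme discrepancy is over all real α < β, but D(M; α, β) only changes when an endpoint crosses a point of M, so testing closed and open intervals with endpoints drawn from M ∪ {0, 1} gives the exact value; for N = 100 this is a few thousand pairs and runs instantly. Exact rationals are used throughout so that the discrepancies are not blurred by floating-point rounding.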

2. Estimate of an Exponential Sum

One way to get bounds for the discrepancies is to obtain estimates for certain exponential sums (see (2.7) below), and this is our first point.

Let θ and ζ be roots of unity of order p − 1 and p, respectively. We consider the twisted sum, called the Lagrangian resolvent of θ and ζ,
$$S(\theta,\zeta) := \zeta + \theta\zeta^{g} + \cdots + \theta^{p-2}\zeta^{g^{p-2}}. \tag{2.1}$$
Plainly S(1, 1) = p − 1 and it is known that
$$|S(\theta,\zeta)| \le \sqrt p, \tag{2.2}$$
for all θ and ζ that are not both equal to 1. Let us see this for completeness. We have:

$$|S(\theta,\zeta)|^2 = \sum_{k=0}^{p-2}\sum_{l=0}^{p-2}\theta^{k-l}\zeta^{g^k-g^l} = (p-1) + \sum_{k=0}^{p-2}\sum_{\substack{l=0\\ l\ne k}}^{p-2}\theta^{k-l}\zeta^{g^l(g^{k-l}-1)}.$$
Let us see that here, for any l fixed, the differences k − l run over the set of nonzero classes mod (p − 1). Then, since the order of both θ and g is p − 1, the sums above are equal to
$$\sum_{t=1}^{p-2}\theta^{t}\sum_{l=0}^{p-2}\zeta^{g^l(g^t-1)} = \sum_{t=1}^{p-2}\theta^{t}\sum_{s=1}^{p-1}\zeta^{s} = \sum_{t=1}^{p-2}\theta^{t}\cdot(-1) = 1,$$
and (2.2) follows (when exactly one of θ, ζ equals 1, the sum is S(θ, 1) = 0 or S(1, ζ) = −1, respectively, and (2.2) is immediate).
By (2.1), we get
$$\sum_{j=0}^{p-2}\theta^{kj}\zeta^{u(g^j-z)} = \zeta^{-uz}S(\theta^k,\zeta^u). \tag{2.3}$$
Then we sum relations (2.3) over 1 ≤ u ≤ p. Note that
$$\sum_{u=1}^{p}\zeta^{u(g^j-z)} = \begin{cases} p, & \text{if } g^j \equiv z \pmod p,\\ 0, & \text{otherwise,}\end{cases}$$
and observe that since 0 ≤ j ≤ p − 2, the condition g^j ≡ z (mod p) can be written as j = log_g z. These yield



$$\theta^{k\log_g z} = \frac{1}{p}\sum_{u=1}^{p}\zeta^{-uz}S(\theta^k,\zeta^u). \tag{2.4}$$



Now taking θ = e_{p−1}(1) and ζ = e_p(1), where e_q(x) := exp(2πix/q), and summing equalities (2.4) over z ∈ J, we obtain
$$\sum_{z\in\mathcal J} e_{p-1}(k\log_g z) = \frac{1}{p}\sum_{u=1}^{p} S(\theta^k,\zeta^u)\sum_{z\in\mathcal J} e_p(-uz). \tag{2.5}$$

The sum over z on the right-hand side is sharply bounded by
$$\Bigl|\sum_{z\in\mathcal J} e_p(-uz)\Bigr| = \Bigl|\sum_{j=1}^{N} e_p\bigl(u(a+jr)\bigr)\Bigr| = \Bigl|\sum_{j=1}^{N} e_p(ujr)\Bigr| \le \min\Bigl(N,\frac{2}{|e_p(ur)-1|}\Bigr) \le \min\Bigl(N,\frac{1}{|\sin(\pi ur/p)|}\Bigr) \le \min\Bigl(N,\frac{1}{2\|ur/p\|}\Bigr), \tag{2.6}$$

where ‖·‖ is the distance to the nearest integer. Then, using (2.2) and (2.6) in (2.5), we conclude that
$$\Bigl|\sum_{z\in\mathcal J} e_{p-1}(k\log_g z)\Bigr| \le \frac{1}{p}\sum_{u=1}^{p} p^{1/2}\min\Bigl(N,\frac{1}{2\|ur/p\|}\Bigr) \le \sqrt p + p^{-1/2}\sum_{u=1}^{p-1}\frac{1}{2\|ur/p\|} \le \sqrt p\,(2+\log p). \tag{2.7}$$



The estimate (2.7) is slightly more general than the Pólya-Vinogradov inequality for character sums.
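As an added example (not part of the paper), the following Python script checks (2.2), (2.4) and (2.7) numerically for a small prime. It evaluates the Lagrangian resolvent S(θ^k, ζ^u) with θ = e_{p−1}(1) and ζ = e_p(1) directly from (2.1), confirms that |S|² = p exactly when θ^k ≠ 1 and ζ^u ≠ 1, reconstructs e_{p−1}(k log_g z) from the resolvents as (2.4) states, and compares the exponential sum over an arithmetic progression with the bound √p(2 + log p). The prime, the progression and all function names are constructed for this illustration.

```python
"""Added example, not code from the paper: numerical checks of the resolvent bound (2.2),
the Fourier identity (2.4) and the exponential-sum bound (2.7) for a small prime."""
import cmath
import math


def e(q, x):
    """e_q(x) = exp(2 pi i x / q), the additive character of section 2."""
    return cmath.exp(2j * math.pi * x / q)


def dlog_table(g, p):
    """log_g x for every x in [1, p-1]; g is assumed to be a primitive root mod p."""
    table, x = {}, 1
    for n in range(p - 1):
        table[x] = n
        x = x * g % p
    return table


def resolvent(k, u, g, p):
    """S(theta^k, zeta^u) for theta = e_{p-1}(1), zeta = e_p(1), i.e. (2.1) written as
    sum_{j=0}^{p-2} e_{p-1}(k j) e_p(u g^j); the angles are reduced before exponentiating
    so that no rounding error accumulates through repeated complex multiplication."""
    total, gj = 0j, 1
    for j in range(p - 1):
        total += e(p - 1, (k * j) % (p - 1)) * e(p, (u * gj) % p)
        gj = gj * g % p
    return total


def resolvent_abs_sq(k, u, g, p):
    """|S(theta^k, zeta^u)|^2 rounded to an integer.  It is p when theta^k != 1 and
    zeta^u != 1 (the case computed in the paper), (p-1)^2 when both equal 1, 1 when only
    theta^k = 1 (the sum of all nontrivial p-th roots of unity is -1) and 0 when only
    zeta^u = 1 (the sum of all (p-1)-th roots of unity)."""
    return round(abs(resolvent(k, u, g, p)) ** 2)


def log_character_via_resolvents(k, z, g, p):
    """Right-hand side of (2.4): (1/p) sum_{u=1}^{p} zeta^{-uz} S(theta^k, zeta^u)."""
    return sum(e(p, (-u * z) % p) * resolvent(k, u, g, p) for u in range(1, p + 1)) / p


def identity_2_4_holds(k, z, g, p, tol=1e-9):
    """(2.4) says the right-hand side equals theta^{k log_g z} = e_{p-1}(k log_g z)."""
    lhs = e(p - 1, (k * dlog_table(g, p)[z]) % (p - 1))
    return abs(lhs - log_character_via_resolvents(k, z, g, p)) < tol


def progression_sum(k, g, p, a, r, N):
    """Left-hand side of (2.5) and (2.7): sum_{z in J} e_{p-1}(k log_g z), J = {a+r, ..., a+Nr}."""
    table = dlog_table(g, p)
    return sum(e(p - 1, (k * table[a + j * r]) % (p - 1)) for j in range(1, N + 1))


def bound_2_7(p):
    """The explicit right-hand side of (2.7), sqrt(p) (2 + log p)."""
    return math.sqrt(p) * (2 + math.log(p))


def bound_2_7_holds(k, g, p, a, r, N):
    return abs(progression_sum(k, g, p, a, r, N)) <= bound_2_7(p)


if __name__ == "__main__":
    p, g = 101, 2                        # constructed parameters; 2 is a primitive root mod 101
    print("|S(theta, zeta)|^2 =", resolvent_abs_sq(1, 1, g, p), "  (p =", p, ")")
    print("(2.4) holds for k = 3, z = 57:", identity_2_4_holds(3, 57, g, p))
    worst = max(abs(progression_sum(k, g, p, 10, 3, 25)) for k in range(1, p - 1))
    print("max_k |sum over J| = %.3f  <=  sqrt(p)(2 + log p) = %.3f" % (worst, bound_2_7(p)))
```

Because the resolvent is a Gauss sum attached to the multiplicative character g^j ↦ θ^{kj}, the value |S|² = p is exact, so a rounded integer comparison is a sharp test; the bound (2.7), by contrast, is far from tight for a short progression, and the script prints the actual maximum next to it.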
3. The Proof of Theorem 1 and Corollary 1

A bound for the discrepancy can be deduced by applying the Erdős-Turán inequality [5, Chapter 1, page 8]. This says that for any 0 ≤ α < β ≤ 1 and any positive integer K, we have

$$\bigl|\mathcal D(\mathcal M(g);\alpha,\beta)\bigr| \le \frac{\operatorname{card}(\mathcal M(g))}{K+1} + 2\sum_{k=1}^{K}\Bigl(\frac{1}{K+1}+\min\Bigl(\beta-\alpha,\frac{1}{\pi k}\Bigr)\Bigr)\Bigl|\sum_{x\in\mathcal M(g)}\exp(2\pi i kx)\Bigr|.$$
Bounding the exponential sum by (2.7), the right-hand side is
$$\begin{aligned}
&\le \frac{N}{K+1} + 2\sqrt p\,(2+\log p)\Bigl(1+\sum_{k=1}^{K}\min\Bigl(\beta-\alpha,\frac{1}{\pi k}\Bigr)\Bigr)\\
&\le \frac{N}{K+1} + 2\sqrt p\,(2+\log p)\Bigl(1+\sum_{1\le k\le\frac{1}{\pi(\beta-\alpha)}}(\beta-\alpha)+\sum_{\frac{1}{\pi(\beta-\alpha)}<k\le K}\frac{1}{\pi k}\Bigr)\\
&\le \frac{N}{K+1} + c\sqrt p\,\log p\,\bigl(2+\log K(\beta-\alpha)\bigr)
\end{aligned}$$

for some absolute constant c > 0. If we take K = p − 1 in this estimate, we obtain (1.1). Next, let us see that if β − α < 1/(πp), then [α, β] contains at most one element of M(g), therefore
$$\frac{\bigl|\mathcal D(\mathcal M(g);\alpha,\beta)\bigr|}{\operatorname{card}(\mathcal M(g))} \le \frac{1}{\operatorname{card}(\mathcal M(g))}\bigl(1+(\beta-\alpha)\operatorname{card}(\mathcal M(g))\bigr) \le \frac{2}{\operatorname{card}(\mathcal M(g))}. \tag{3.1}$$
When β − α ≥ 1/(πp), we apply (1.1) and obtain
$$\frac{\bigl|\mathcal D(\mathcal M(g);\alpha,\beta)\bigr|}{\operatorname{card}(\mathcal M(g))} \le \frac{c_1\,p^{1/2}\log p\,\bigl(2+\log p(\beta-\alpha)\bigr)}{\operatorname{card}(\mathcal M(g))} \le \frac{c'\sqrt p\,\log^2 p}{\operatorname{card}(\mathcal M(g))}, \tag{3.2}$$
for some absolute constant c' > 0. Now (1.2) follows from (3.1) and (3.2), and this concludes the proof of Theorem 1.
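The Erdős-Turán inequality used above can be evaluated numerically for M(g). The following Python script is added here and is not code from the paper or from [5]; it computes the right-hand side in the displayed form (with the 1/(K + 1) term inside the sum), then checks it against the exact discrepancy at every pair of candidate endpoints, closed and open, which is where |D(M(g); α, β)| is extremal. The prime, the progression and the function names are my own choices.

```python
"""Added example, not code from the paper or from [5]: the Erdős-Turán inequality in the
form used in section 3, evaluated for the torus image M(g) of an arithmetic progression."""
import cmath
import math
from fractions import Fraction


def dlog_table(g, p):
    """log_g x for every x in [1, p-1]; g is assumed to be a primitive root mod p."""
    table, x = {}, 1
    for n in range(p - 1):
        table[x] = n
        x = x * g % p
    return table


def torus_image(g, p, a, r, N):
    """M(g, J) = { log_g(a + j r) / (p-1) : 1 <= j <= N } as exact rationals."""
    table = dlog_table(g, p)
    return [Fraction(table[a + j * r], p - 1) for j in range(1, N + 1)]


def discrepancy(M, alpha, beta, closed=True):
    """D(M; alpha, beta) = card(M ∩ [alpha, beta]) - (beta - alpha) card(M); with
    closed=False the open interval is counted (the limit as the endpoints move inwards)."""
    if closed:
        inside = sum(1 for x in M if alpha <= x <= beta)
    else:
        inside = sum(1 for x in M if alpha < x < beta)
    return inside - (beta - alpha) * len(M)


def exp_sum(M, k):
    """|sum_{x in M} exp(2 pi i k x)|; k x is reduced mod 1 exactly before the float step."""
    return abs(sum(cmath.exp(2j * math.pi * float((k * x) % 1)) for x in M))


def erdos_turan_bound(M, alpha, beta, K):
    """Right-hand side of the Erdős-Turán inequality as displayed in section 3:
    card(M)/(K+1) + 2 sum_{k=1}^{K} (1/(K+1) + min(beta-alpha, 1/(pi k))) |sum_x exp(2 pi i k x)|."""
    total = len(M) / (K + 1)
    for k in range(1, K + 1):
        total += 2 * (1 / (K + 1) + min(beta - alpha, 1 / (math.pi * k))) * exp_sum(M, k)
    return total


def inequality_holds(M, K, tol=1e-9):
    """Check |D(M; alpha, beta)| <= bound at every pair alpha < beta drawn from the points
    of M together with 0 and 1, for closed and open intervals.  |D| is extremal at such
    pairs, and the bound is continuous in (alpha, beta), so this covers all intervals."""
    pts = sorted(set(M) | {Fraction(0), Fraction(1)})
    for i, a in enumerate(pts):
        for b in pts[i + 1:]:
            bound = erdos_turan_bound(M, float(a), float(b), K)
            for closed in (True, False):
                if abs(float(discrepancy(M, a, b, closed))) > bound + tol:
                    return False
    return True


if __name__ == "__main__":
    p, g = 101, 2                         # constructed parameters; 2 is a primitive root mod 101
    M = torus_image(g, p, 10, 3, 25)      # J = {13, 16, ..., 85}, so N = 25
    pts = sorted(set(M) | {Fraction(0), Fraction(1)})
    sup_D = max(abs(float(discrepancy(M, a, b, c)))
                for i, a in enumerate(pts) for b in pts[i + 1:] for c in (True, False))
    print("sup |D(M(g); alpha, beta)| =", sup_D)
    for K in (1, 10, p - 1):
        print("K = %3d: bound at [0.25, 0.5] = %7.3f, inequality holds everywhere: %s"
              % (K, erdos_turan_bound(M, 0.25, 0.5, K), inequality_holds(M, K)))
```

Running the script for several K shows the trade-off the proof exploits: the term card(M(g))/(K + 1) shrinks as K grows, while the Weyl sums |Σ exp(2πikx)| are each bounded by (2.7) independently of k, which is why taking K = p − 1 yields (1.1).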

To prove Corollary 1, let I = [s, t] ⊂ [0, p − 1] be any subinterval of length t − s = M > 0, and let δ > 0. Let α = s/p and β = t/p, so that α, β ∈ [0, 1] with β − α = M/p. We may assume that δ ≥ 1/√p, since otherwise the result is trivial. By the hypothesis, it follows that √p log² p ≤ c''δMN/p for some c'' > 0, and then, by Theorem 1, |D(M(g); α, β)| ≤ δMN/p. This can be rewritten as



$$(1-\delta)\frac{MN}{p} \le \operatorname{card}\bigl(\mathcal M(g)\cap[\alpha,\beta]\bigr) \le (1+\delta)\frac{MN}{p},$$
which proves the corollary.



4. A Few Open Problems



There are different points of view and ways to study the distribution of the elements of a certain sequence. But going further along the lines followed above, let us first notice that Theorem 1 and Corollary 1 apply not only to M(g, J), but also to sets featuring certain patterns, such as those generated when J is replaced by unions of arithmetic progressions. This is easy to see, since
$$\mathcal D(\mathcal M_1\cup\mathcal M_2) = \mathcal D(\mathcal M_1) + \mathcal D(\mathcal M_2),$$
for any sets M_1, M_2 ⊂ [0, 1] with M_1 ∩ M_2 = ∅.

A further step in the evaluation of the changes produced by the discrete logarithm function would be to evaluate the discrepancy when the original set (J in the notation from the introduction) is additionally changed by a nonlinear transform. Such an example would require estimating a sum such as, for instance,
$$\sum_{x\in\mathcal J} e_{p-1}\bigl(P(\log_g x)\bigr),$$
where P(x) = a_0 + a_1 x + ··· + a_n x^n, with a_0, ..., a_n integers, a_n ≢ 0 (mod p) and n ≥ 2.

Another spreading factor appears if more than one primitive root is involved. Let g_1, ..., g_r be primitive roots mod p and let a, b_1, ..., b_r be integers. Then the problem is to find a nontrivial estimate for the sum
$$\sum_{x\in\mathcal J} e_{p-1}\bigl(ax + b_1\log_{g_1}x + b_2\log_{g_2}x + \cdots + b_r\log_{g_r}x\bigr).$$

Related to these questions is the problem of studying the changes produced by the discrete logarithm function in the order of its arguments. If the elements of L(g, J) were randomly distributed in [0, p − 1], then, comparing sizes, for x_1, x_2 ∈ J with x_1 < x_2 one expects that about half of the time log_g x_1 < log_g x_2 and half of the time log_g x_1 > log_g x_2. And similarly, for any fixed r ≥ 2, when p → ∞, all the r! possible arrangements among the numbers log_g x_1, ..., log_g x_r ∈ [0, p − 1] should occur with about the same frequency when (x_1, ..., x_r) runs over J^r.